We were indeed able to bypass the SOP for images served with 302 and with the data protocol (e.g. data:image/png;base64) and exfiltrate the image. You can find the details of the issue in the mentioned blog post from Christian (our attack did not make use of the browser cache, though).

- click "exploit step 1" (this is just an intermediate step to load the image)
- click "exploit step 2" and appreciate the exfiltrated image in the alert message (substring) and the full one in the console…